The problem comes when we want to allow more than one person to rename files
or directories at the same time. Imagine that you rename the /clinton
directory, which contains hundreds of thousands of files. Meanwhile, another
user renames the single file /clinton/projects/elasticsearch/README.txt.
That user’s change, although it started after yours, will probably finish more
quickly.

One of two things will happen:

You have decided to use version numbers, in which case your mass rename
will fail with a version conflict when it hits the renamed
README.txt file.

You didn’t use versioning, and your changes will overwrite the changes from
the other user.

The problem is that Elasticsearch does not support
ACID transactions. Changes to
individual documents are ACIDic, but not changes involving multiple documents.

If your main data store is a relational database, and Elasticsearch is simply
being used as a search engine or as a way to improve performance, make
your changes in the database first and replicate those changes to
Elasticsearch after they have succeeded. This way, you benefit from the ACID
transactions available in the database, and all changes to Elasticsearch happen
in the right order. Concurrency is dealt with in the relational database.

If you are not using a relational store, these concurrency issues need to
be dealt with at the Elasticsearch level. The following are three practical
solutions using Elasticsearch, all of which involve some form of locking:

Global Locking

Document Locking

Tree Locking

The solutions described in this section could also be implemented by applying the same
principles while using an external system instead of Elasticsearch.

We can avoid concurrency issues completely by allowing only one process to
make changes at any time. Most changes will involve only a few files and will
complete very quickly. A rename of a top-level directory may block all other
changes for longer, but these are likely to be much less frequent.

Because document-level changes in Elasticsearch are ACIDic, we can use the
existence or absence of a document as a global lock. To request a
lock, we try to create the global-lock document:

PUT /fs/lock/global/_create
{}

If this create request fails with a conflict exception,
another process has already been granted the global lock and we will have to
try again later. If it succeeds, we are now the proud owners of the
global lock and we can continue with our changes. Once we are finished, we
must release the lock by deleting the global lock document:

DELETE /fs/lock/global

Depending on how frequent changes are, and how long they take, a global lock
could restrict the performance of a system significantly. We can increase
parallelism by making our locking more fine-grained.

Instead of locking the whole filesystem, we could lock individual documents
by using the same technique as previously described.
We can use a scrolled search to retrieve all documents that would be affected by the change and
create a lock file for each one:

The ID of the lock document would be the same as the ID of the file
that should be locked.

The process_id is a unique ID that represents the process that
wants to perform the changes.

If some files are already locked, parts of the bulk request will fail and we
will have to try again.

Of course, if we try to lock all of the files again, the create statements
that we used previously will fail for any file that is already locked by us!
Instead of a simple create statement, we need an update request with an
upsert parameter and this script:

If the document doesn’t already exist, the upsert document is inserted—much
the same as the previous create request. However, if the
document does exist, the script looks at the process_id stored in the
document. If the process_id matches, no update is performed (noop) but the
script returns successfully. If it is different, assert false throws an exception
and you know that the lock has failed.

Once all locks have been successfully created, you can proceed with your changes.

Afterward, you must release all of the locks, which you can do by
retrieving all of the locked documents and performing a bulk delete:

The refresh call ensures that all lock documents are visible to
the search request.

You can use a scroll query when you need to retrieve large
numbers of results with a single search request.

Document-level locking enables fine-grained access control, but creating lock
files for millions of documents can be expensive. In some cases,
you can achieve fine-grained locking with much less work, as shown in the
following directory tree scenario.

Rather than locking every involved document as in the previous example, we
could lock just part of the directory tree. We will need exclusive access
to the file or directory that we want to rename, which can be achieved with an
exclusive lock document:

{ "lock_type": "exclusive" }

And we need shared locks on any parent directories, with a shared lock
document:

{
"lock_type": "shared",
"lock_count": 1
}

The lock_count records the number of processes that hold a shared lock.

A process that wants to rename /clinton/projects/elasticsearch/README.txt
needs an exclusive lock on that file, and a shared lock on /clinton,
/clinton/projects, and /clinton/projects/elasticsearch.

A simple create request will suffice for the exclusive lock, but the shared
lock needs a scripted update to implement some extra logic:

Now, if somebody else wants to rename the /clinton directory, they would
have to gain an exclusive lock on that path:

PUT /fs/lock/%2Fclinton/_create
{ "lock_type": "exclusive" }

This request would fail because a lock document with the same ID already
exists. The other user would have to wait until our operation is done and we
have released our locks. The exclusive lock can just be deleted:

DELETE /fs/lock/%2Fclinton%2fprojects%2felasticsearch%2fREADME.txt

The shared locks need another script that decrements the lock_count and, if
the count drops to zero, deletes the lock document:

if (--ctx._source.lock_count == 0) {
ctx.op = 'delete'
}

Once the lock_count reaches 0, the ctx.op is changed from update
to delete.

This update request would need to be run for each parent directory in reverse
order, from longest to shortest:

Tree locking gives us fine-grained concurrency control with the minimum of
effort. Of course, it is not applicable to every situation—the data model
must have some sort of access path like the directory tree for it to work.

None of the three options—global, document, or tree locking—deals with
the thorniest problem associated with locking: what happens if the process
holding the lock dies?

The unexpected death of a process leaves us with two problems:

How do we know that we can release the locks held by the dead process?

How do we clean up the change that the dead process did not manage to complete?

These topics are beyond the scope of this book, but you will need to give them
some thought if you decide to use locking.

While denormalization is a good choice for many projects, the need for locking
schemes can make for complicated implementations. Instead, Elasticsearch
provides two models that help us deal with related entities:
nested objects and parent-child relationships.